COMMAND

    A1Stats

SYSTEMS AFFECTED

    Anyone using an A1Stats package that was downloaded before 24/04/01

PROBLEM

    nemesystm of the DHC found the following.  A1Stats is a CGI package
    used to track website traffic.  The package has a file viewing bug
    (its display scripts follow "../" sequences in their argument and
    return files outside the stats directory) and also makes it possible
    to overwrite existing files.

    To test these vulnerabilities, try the following:

        www.server.com/cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd
        www.server.com/cgi-bin/a1stats/a1disp4.cgi?../../../../../../../etc/passwd

    These two will give you /etc/passwd.  The next one will also give
    you /etc/passwd, but in a very mangled manner, as the CGI adds HTML
    tags to what it thinks is a file it created itself:

        www.server.com/cgi-bin/a1stats/a1disp2.cgi?../../../../../../../etc/passwd

    One can also open a file and destroy its contents:

        http://localhost/cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt|

    will empty a1admin.txt.  a1admin.txt contains the password needed to
    change the settings of the CGI.  Once this file has been emptied or
    removed, no one can log in anymore.
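
    As an added example (not part of this advisory or of A1Stats), the
    following Python shows the defender's side of both bugs: a detector
    for the traversal and pipe patterns above, run over constructed
    Apache access-log lines, and the kind of file-name check the CGI
    should have applied before opening its argument.  The log lines, the
    base directory and the function names are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Apache combined-log request line: client, method, URI and status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')
# The A1Stats display scripts named in the advisory (a1disp.cgi .. a1disp4.cgi).
SCRIPT_RE = re.compile(r'/cgi-bin/a1stats/a1disp\d?\.cgi\?(.*)$')

def classify_query(query):
    """Return 'pipe', 'traversal' or None for one (URL-encoded) a1disp query."""
    q = unquote(query)
    if '|' in q:                      # command execution via the pipe form
        return 'pipe'
    if '../' in q or '..\\' in q:     # directory traversal out of the stats dir
        return 'traversal'
    return None

def scan_access_log(lines):
    """Return (client, status, kind, decoded query) for each suspicious a1disp hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, uri, status = m.groups()
        s = SCRIPT_RE.search(uri)
        kind = classify_query(s.group(1)) if s else None
        if kind:
            hits.append((client, int(status), kind, unquote(s.group(1))))
    return hits

def safe_stats_path(base_dir, requested):
    """Server-side check the CGI lacked: accept only a plain file name that
    resolves inside base_dir; return the full path or None."""
    name = unquote(requested)
    if not re.fullmatch(r'[A-Za-z0-9_.-]+', name) or name.startswith('.'):
        return None
    full = os.path.realpath(os.path.join(base_dir, name))
    if os.path.dirname(full) != os.path.realpath(base_dir):
        return None
    return full

# Constructed log lines mirroring the advisory's requests (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2001:10:01:02 +0000] "GET /cgi-bin/a1stats/a1disp3.cgi?../../../../../../../etc/passwd HTTP/1.0" 200 1204',
    '10.0.0.5 - - [24/Apr/2001:10:01:09 +0000] "GET /cgi-bin/a1stats/a1disp.cgi?|echo%20>a1admin.txt| HTTP/1.0" 200 77',
    '10.0.0.9 - - [24/Apr/2001:10:02:30 +0000] "GET /cgi-bin/a1stats/a1disp.cgi?a1admin.txt HTTP/1.0" 200 410',
    '10.0.0.9 - - [24/Apr/2001:10:03:00 +0000] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

    A 200 status on a flagged request means the server actually served
    the file or ran the command, so those entries are the ones to triage
    first.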

SOLUTION

    Downloading the latest version (one released after 24/04/01) will
    solve this problem.